
Apple Platform Security
Two-factor authentication
To help users further secure their accounts, by default Apple uses two-factor authentication — an extra layer of security for Apple IDs. It’s designed to ensure that only the account’s owner can access the account, even if someone else knows the password. With two-factor authentication, a user’s account can be accessed only on trusted devices, such as the user’s iPhone, iPad, iPod touch or Mac, or on other devices after completing a verification from one of these trusted devices or a trusted phone number. To sign in for the first time on any new device, two pieces of information are required — the Apple ID password and a six-digit verification code that’s displayed on the user’s trusted devices or sent to a trusted phone number. By entering the code, the user confirms that they trust the new device and that it’s safe to sign in. Because a password alone is no longer enough to access a user’s account, two-factor authentication improves the security of the user’s Apple ID and all the personal information they store with Apple. It’s integrated directly into iOS, iPadOS, macOS, tvOS, watchOS and the authentication systems used by Apple websites.
When a user signs in to an Apple website using a web browser, a second factor request is sent to all trusted devices associated with the user’s iCloud account, requesting approval of the web session. If the user is signing in to an Apple website from a browser on a trusted device, they see the verification code displayed locally on the device they’re using. When the user enters the code on that device, the web session is approved.
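The flow described above (password first, then a six-digit code delivered only to trusted endpoints, with the new device becoming trusted once the code is entered) can be modelled in a few dozen lines. The following is an added illustration written for this page, not Apple's code; the class and method names, the 120-second code lifetime, the three-attempt limit and the in-memory "outbox" standing in for push and SMS delivery are all assumptions.

```python
# Toy model of a trusted-device two-factor sign-in (added example, not Apple's
# implementation). Assumed: salted PBKDF2 password hashes, six-digit single-use
# codes that expire after CODE_TTL_SECONDS, and a small attempt limit per code.
import hashlib
import hmac
import os
import secrets
import time

CODE_TTL_SECONDS = 120   # assumed lifetime of a verification code
MAX_CODE_ATTEMPTS = 3    # assumed wrong-code limit before the pending code is dropped


class Account:
    def __init__(self, password, first_device, phone=None):
        self.salt = os.urandom(16)
        self.password_hash = self._hash(password, self.salt)
        self.trusted_devices = {first_device}   # devices that may sign in directly
        self.trusted_phone = phone              # optional SMS fallback
        self.pending = {}                       # device_id -> [code, expiry, attempts]

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def check_password(self, password):
        return hmac.compare_digest(self.password_hash, self._hash(password, self.salt))


class TwoFactorService:
    def __init__(self):
        self.accounts = {}
        self.outbox = []   # constructed stand-in for push/SMS delivery: (destination, code)

    def register(self, user, password, first_device, phone=None):
        self.accounts[user] = Account(password, first_device, phone)

    def begin_sign_in(self, user, password, device_id, now=None):
        """Step 1: the password alone signs in a trusted device; a new device gets a code."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user)
        if acct is None or not acct.check_password(password):
            return "denied"
        if device_id in acct.trusted_devices:
            return "signed_in"
        code = f"{secrets.randbelow(10**6):06d}"
        acct.pending[device_id] = [code, now + CODE_TTL_SECONDS, 0]
        # The code is sent to every trusted device and the trusted number, never to
        # the device asking to be trusted.
        for dest in sorted(acct.trusted_devices):
            self.outbox.append((dest, code))
        if acct.trusted_phone:
            self.outbox.append((acct.trusted_phone, code))
        return "code_required"

    def complete_sign_in(self, user, device_id, code, now=None):
        """Step 2: single-use, time-limited code; success marks the device as trusted."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user)
        if acct is None or device_id not in acct.pending:
            return "denied"
        entry = acct.pending[device_id]
        if now > entry[1]:
            del acct.pending[device_id]
            return "expired"
        if not hmac.compare_digest(entry[0], code):
            entry[2] += 1
            if entry[2] >= MAX_CODE_ATTEMPTS:
                del acct.pending[device_id]     # force a fresh password + code round
                return "locked"
            return "wrong_code"
        del acct.pending[device_id]             # the code cannot be replayed
        acct.trusted_devices.add(device_id)     # the user has vouched for this device
        return "signed_in"

    def last_delivered_code(self):
        return self.outbox[-1][1]


def demo():
    """Walk a constructed account through the states the text describes."""
    svc = TwoFactorService()
    svc.register("alice", "correct horse", "alices-iphone", phone="+1-555-0100")
    out = {}
    out["bad_password"] = svc.begin_sign_in("alice", "wrong", "new-mac")
    out["trusted_device"] = svc.begin_sign_in("alice", "correct horse", "alices-iphone")
    out["new_device"] = svc.begin_sign_in("alice", "correct horse", "new-mac")
    code = svc.last_delivered_code()
    wrong = "000000" if code != "000000" else "111111"
    out["wrong_code"] = svc.complete_sign_in("alice", "new-mac", wrong)
    out["right_code"] = svc.complete_sign_in("alice", "new-mac", code)
    out["replay"] = svc.complete_sign_in("alice", "new-mac", code)
    out["now_trusted"] = svc.begin_sign_in("alice", "correct horse", "new-mac")
    return out


if __name__ == "__main__":
    print(demo())
```

The two properties worth noticing are that the password on its own never gets a new device past `begin_sign_in`, and that the code is bound to one device, one use and one time window, so a code observed once cannot be reused to trust a different device later.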
Password reset and account recovery
If an Apple ID account password is forgotten, a user can reset it on a trusted device. If a trusted device isn’t available and the password is known, a trusted phone number can be used to authenticate through SMS verification. In addition, to provide immediate recovery for an Apple ID, a previously used passcode can be used, in conjunction with SMS, to reset the password. If these options aren’t possible, the account recovery process must be followed. For more information, see the Apple Support article How to use account recovery when you can’t reset your Apple ID password.
Managed Apple ID security
Managed Apple IDs function much like an Apple ID but are owned and controlled by enterprise or educational organisations. These organisations can reset passwords, limit purchasing and communications such as FaceTime and Messages, and set up role-based permissions for employees, staff members, teachers and students.
For Managed Apple IDs, some services are disabled (for example, Apple Pay, iCloud Keychain, HomeKit and Find My).
Inspecting Managed Apple IDs
Managed Apple IDs also support inspection, which allows organisations to comply with legal and privacy regulations. An Apple School Manager administrator, manager or teacher can inspect specific Managed Apple ID accounts.
Inspectors can only monitor accounts that are below them in the organisation’s hierarchy. For example, teachers can monitor students, managers can inspect teachers and students, and administrators can inspect managers, teachers and students.